Article ID: 244523
Article Last Modified on 12/29/2006
APPLIES TO
- Microsoft Exchange Server 5.5 Standard Edition
This article was previously published under Q244523
SYMPTOMS
Consider the following scenario:
- You are logged on to the Microsoft Windows NT domain.
- Your account does not have permissions for another user's mailbox.
- You try to log on to another user's mailbox by using valid credentials for the other user's mailbox.
In this scenario, you may receive the following error messages:
For example, User A is logged on to the Windows NT domain as User A, but wants to access User B's mailbox. User A does not have permissions for User B's mailbox. When User A is prompted for credentials, User A enters User B's Windows NT account, domain, and password, but cannot access User B's mailbox.
CAUSE
This problem may occur if named pipes (ncacn_np) is used as the Microsoft Exchange Client remote procedure call (RPC) protocol.
RESOLUTION
To resolve this problem, use one of the following methods:
- Remove the static mapping for either the Exchange Server directory service or the information store service, as applicable.
Note If a firewall exists in front of the Exchange server, users may be unable to log on to their mailbox if a static mapping is removed. For more information about how to remove the static mapping, click the following article number to view the article in the Microsoft Knowledge Base:270836 Exchange Server static port mappings
- Statically map the ports for either the Exchange Server directory service or information store service, as applicable, to a port that is not being used. We recommend that you map to a port outside the ephemeral range. The ephemeral port range is from port 1024 to port 5000.
Note At a command prompt, run the netstat -an command to view a list of all the ports that are currently registered on the server. Use the list to determine an unused port that you can use to statically map the Exchange Server services. - Run the net use command to the IPC$ share on the Exchange Server computer and use the credentials of the user whose mailbox you want to access.
MORE INFORMATION
RPC that uses named pipes (ncacn_np) establishes its security identity by using the credentials of the user who is logged on to the Windows NT domain. Because named pipe connections are established by the redirector to the server, the security identity is established before RPC communication. Therefore, RPC uses the security context that is established by the redirector, and the dialog boxes generated by Microsoft Outlook that request security credentials do not override this security context. Because the user who is logged on does not have permissions for the target mailbox, the logon process to that mailbox does not work.
You can specify the ncacn_np protocol sequence by modifying the RPC_Binding_Order registry value. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
163576 Changing the RPC binding order
Occasionally the named pipes protocol sequence is used because other protocol sequences did not work.
Other protocol sequences in the RPC_Binding_Order value may not work if either the Exchange Server directory service or information store service is configured to use a static port that is being used at the time that the service starts. This prevents the service from binding to that port and basically disables that protocol for use with that service. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
176466 TCP ports and Microsoft Exchange: In-depth discussion
Additional query words: XCLN
Keywords: kbinterop kbnetwork kbprb KB244523
